Key Takeaways
Fidelis Deep Session Inspection (DSI) captures full communication sessions across hybrid environments (on-premises + AWS/Azure/GCP) for forensic-level network visibility
Reconstructs TCP streams, decodes nested protocols (HTTP/S, SMB, TLS where permitted), extracts C2 commands, files, credentials
Agentless cloud coverage via VPC Traffic Mirroring, NSG integration—no cloud agents needed
Generates court-ready PCAP/JSON exports with MITRE ATT&CK mapping for investigations
Network DLP prevents data exfiltration during forensic capture
Terrain mapping visualizes security posture across IoT/OT/cloud infrastructure
Unifies threat detection, sandboxing, incident response in one platform
Hybrid environments combine on-premises data centers with public cloud platforms like AWS, Azure, and GCP. This creates complex east-west traffic and north-south flows where advanced cyber threats hide in encrypted tunnels. Fidelis Network® addresses this challenge with patented Deep Session Inspection (DSI) technology. DSI captures communication sessions across monitored network segments, recursively decodes nested protocols and data, and extracts network forensic evidence for hybrid networks.
DSI reconstructs communication sessions and unpacks layered protocols like HTTP-over-TLS-over-SMB. This reveals digital forensic artifacts such as embedded files, C2 commands, stolen credentials, and metadata trails that are ready for incident response and investigations.
How Deep Session Inspection Provides Forensic Visibility
Traditional network monitoring tools operate at the packet or flow level. Flow-based tools provide snapshots. Netflow analysis tools deliver flow summaries. All struggle to recover context from encrypted tunnels or nested payloads. Fidelis Network® DSI follows three clear steps:
1. Session Capture: records complete traffic across monitored network segments where sensors are deployed.
2. Protocol Decoding: unpacks HTTP/S, SMB, RDP, DNS, FTP, and inspects TLS-encrypted sessions where decryption policies permit, revealing embedded content.
3. Artifact Extraction: delivers files, commands, C2 beacons, IP addresses, and application data with session context.
Real Attack Example: RDP lateral movement from on-premises data centers to Azure VMs. DSI reconstructs the session, showing stolen NTLM hashes, PowerShell commands, and staged files. This is evidence investigators can trace across hybrid boundaries.
This deep session inspection significantly reduces visibility gaps across monitored network ports and protocols.
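The three steps above (capture, decode, extract) are what separates session inspection from per-packet inspection: a request split across segments that arrive out of order, or partly retransmitted, is only readable once the stream is put back together. The following is an added example, not Fidelis code and not a description of how DSI is implemented. It reassembles one direction of a TCP session from constructed segments (handling retransmissions, partial overlaps and gaps), decodes the HTTP request the stream carries, and emits an artifact record that keeps the session 4-tuple, timestamps and a hash of the transferred body. The `Segment` type, the sample addresses and the request content are all assumptions made for the example.

```python
"""Added example, not Fidelis code: rebuild a TCP session from out-of-order
segments, decode the HTTP request it carries and emit artifacts that keep
their session context. Every packet below is constructed sample data."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ts: float       # capture timestamp, epoch seconds

def reassemble_direction(segments):
    """Order one direction by sequence number, drop retransmissions, trim
    partial overlaps, and record gaps rather than silently skipping them."""
    data, gaps, expected = bytearray(), [], None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq + len(seg.payload) <= expected:
            continue                          # already covered: retransmission
        if seg.seq > expected:
            gaps.append((expected, seg.seq))  # missing bytes: evidence is incomplete
            expected = seg.seq
        data += seg.payload[expected - seg.seq:]
        expected = seg.seq + len(seg.payload)
    return bytes(data), gaps

def reassemble_session(segments):
    """Group segments by direction and reassemble each one:
    {(src, sport, dst, dport): (stream, gaps, first_ts, last_ts)}."""
    by_dir = {}
    for seg in segments:
        by_dir.setdefault((seg.src, seg.sport, seg.dst, seg.dport), []).append(seg)
    out = {}
    for d, segs in by_dir.items():
        stream, gaps = reassemble_direction(segs)
        out[d] = (stream, gaps, min(s.ts for s in segs), max(s.ts for s in segs))
    return out

def decode_http_request(stream):
    """Minimal HTTP/1.x request decoder (request line, headers, Content-Length
    body). Returns None for anything that is not a request, e.g. the reply."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    return {"method": parts[0], "target": parts[1], "headers": headers,
            "body": body, "truncated": len(body) < length}

def extract_artifacts(segments):
    """Step 3 of the text: one record per decoded client request, carrying the
    4-tuple, timestamps, reassembly gaps and a hash of the transferred body."""
    records = []
    for (src, sport, dst, dport), (stream, gaps, t0, t1) in reassemble_session(segments).items():
        req = decode_http_request(stream)
        if req is None:
            continue
        records.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                        "first_seen": t0, "last_seen": t1, "gaps": gaps,
                        "method": req["method"], "target": req["target"],
                        "host": req["headers"].get("host"),
                        "body_sha256": hashlib.sha256(req["body"]).hexdigest(),
                        "body_truncated": req["truncated"]})
    return records

# Constructed request used by the sample below (85 bytes in total).
REQUEST = (b"POST /upload HTTP/1.1\r\n"
           b"Host: files.example.invalid\r\n"
           b"Content-Length: 11\r\n\r\n"
           b"secret-data")

def sample_segments():
    """Constructed sample: the request split in three, delivered body first,
    with the first segment retransmitted, followed by the server's reply."""
    c = ("10.0.1.5", 51000, "203.0.113.10", 80)
    chunks, segs, off = [REQUEST[:23], REQUEST[23:74], REQUEST[74:]], [], 0
    for i, chunk in enumerate(chunks):
        segs.append(Segment(*c, seq=1000 + off, payload=chunk, ts=1700000000.0 + i))
        off += len(chunk)
    reply = Segment("203.0.113.10", 80, "10.0.1.5", 51000, seq=5000,
                    payload=b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ts=1700000003.0)
    return [segs[2], segs[0], segs[1], segs[0], reply]
```

Running `extract_artifacts(sample_segments())` yields a single record for the client direction: the POST to `/upload`, the `Host` header, a SHA-256 of the 11-byte body, and an empty `gaps` list. Drop the middle segment and the same code reports the missing byte range instead of a decoded request, which is the property an investigator needs: evidence that is incomplete says so, rather than presenting a partial stream as the whole session.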
Hybrid Deployment Coverage: No Cloud Agents Required
Fidelis Network® captures traffic flow across hybrid environments:
| Environment | Deployment Method | Traffic Captured | Key Benefits |
|---|---|---|---|
| On-Premises Data Centers | Appliances via SPAN/TAP ports, GRE tunnels | VLANs, switches, critical applications | Comprehensive protocol decode |
| Private Clouds | VMware/KVM virtual sensors | VM-to-VM flows, storage networks | Scales with virtualization |
| AWS | VPC Traffic Mirroring | VPCs, EKS clusters, S3 access | Native cloud environment visibility |
| Azure | NSG integration + VNet sensors | AKS clusters, Azure SQL | Visibility into NSG-governed traffic |
| GCP | Packet Mirroring | GKE pods, Cloud Run workloads | Real-time cloud workload coverage |
Deployment Options:
Out-of-band monitoring eliminates production risk
Inline prevention where required
Cloud auto-scaling for dynamic workloads
High‑capacity session data retention supports threat hunting and deep‑dive analysis.
IoT devices, IT/OT systems, smart devices, and containers appear in unified views across private connections and public internet paths.
Network Forensics Evidence for Investigations
Fidelis generates digital evidence that security and legal teams can rely on for incident response and legal review:
Core Capabilities:
Session reconstruction with MITRE ATT&CK mapping
Search across large-scale session repositories by session data attributes such as IP addresses, domains, file hashes
Visual attack replay from access to data exfiltration
Timestamp preservation supports data integrity
Export Formats:
| Format | Contains | Perfect For |
|---|---|---|
| Alert‑triggered PCAP snippets | Partial session capture from DLP or policy‑triggered alerts | Investigating specific incidents in Wireshark or packet analyzers |
| JSON Exports | Files, metadata, commands, and session context | SIEM/SOAR tools (e.g., Splunk Enterprise Security, Cortex XSOAR, similar platforms) |
| CSV Reports | Risk-scored network events | Compliance audits and spreadsheet‑based analysis |
| STIX/TAXII Packages | Threat intelligence, indicator feeds, CTI | Threat‑sharing and XDR/SOC integrations |
Data Exfiltration Investigation:
Risk engine flags suspicious data movement to cloud storage
DSI reconstructs SMB session with embedded transfers
Extracts files with session context
Delivers digital evidence package for remediation
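The export table and the four-step exfiltration walkthrough both end in the same deliverable: a JSON evidence package whose items carry session context, preserved timestamps, file hashes and a MITRE ATT&CK technique, and which a reviewer can later confirm was not altered. The following is an added example, not Fidelis code and not the format of its exports. It builds such a package from constructed artifacts (one SMB copy, one blocked upload of the same file), tags each item with an assumed rule-to-technique mapping, computes a SHA-256 per file and a digest over the canonical JSON of the whole body, and shows how a shared file hash links the two sessions into one exfiltration chain. The rule names, addresses and file contents are assumptions; the technique IDs are real ATT&CK identifiers.

```python
"""Added example, not Fidelis code: package extracted session artifacts as an
investigation-ready JSON export with preserved capture timestamps, MITRE
ATT&CK technique tags, per-file SHA-256 values and a package digest that a
reviewer can recompute. Artifacts and the rule mapping are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed rule-to-technique mapping for this example (not a Fidelis rule set);
# the technique IDs themselves are real MITRE ATT&CK identifiers.
RULE_TO_TECHNIQUE = {
    "smb-share-file-copy": ("T1021.002", "SMB/Windows Admin Shares"),
    "upload-to-cloud-storage": ("T1567.002", "Exfiltration to Cloud Storage"),
}

def iso_utc(ts):
    """Keep the sensor's capture time, rendered as an unambiguous UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="microseconds")

def canonical(obj):
    """Deterministic JSON bytes so the digest is reproducible by any reviewer."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_evidence_package(case_id, artifacts, generated_ts):
    """Assemble the export: session context, ATT&CK mapping and file hash per
    item, then a SHA-256 over the canonical form of the whole evidence body."""
    items = []
    for art in artifacts:
        tech_id, tech_name = RULE_TO_TECHNIQUE.get(art["rule"], ("unmapped", "unmapped"))
        items.append({
            "session": art["session"],
            "first_seen": iso_utc(art["first_ts"]),
            "last_seen": iso_utc(art["last_ts"]),
            "rule": art["rule"],
            "attack": {"technique_id": tech_id, "technique_name": tech_name},
            "file": {"name": art["file_name"], "size": len(art["file_bytes"]),
                     "sha256": hashlib.sha256(art["file_bytes"]).hexdigest()},
            "action": art["action"],          # "captured" or "blocked" by DLP
        })
    evidence = {"case_id": case_id, "generated_at": iso_utc(generated_ts), "items": items}
    return {"evidence": evidence,
            "evidence_sha256": hashlib.sha256(canonical(evidence)).hexdigest()}

def verify_package(pkg):
    """Recompute the digest; a mismatch means the export was altered afterwards."""
    return hashlib.sha256(canonical(pkg["evidence"])).hexdigest() == pkg["evidence_sha256"]

def linked_files(pkg):
    """Group items by file hash: the same file seen on SMB and then in an upload
    is one exfiltration chain, not two unrelated events."""
    chains = {}
    for item in pkg["evidence"]["items"]:
        chains.setdefault(item["file"]["sha256"], []).append(item["session"]["proto"])
    return chains

def sample_artifacts():
    """Constructed artifacts in the shape a session-inspection step might emit."""
    blob = b"PK\x03\x04" + b"\x00" * 32        # constructed stand-in for a document
    return [
        {"session": {"proto": "SMB", "client": "10.0.1.5:49832", "server": "10.0.2.20:445"},
         "first_ts": 1700000000.0, "last_ts": 1700000004.5, "rule": "smb-share-file-copy",
         "file_name": "q3-forecast.xlsx", "file_bytes": blob, "action": "captured"},
        {"session": {"proto": "HTTPS", "client": "10.0.1.5:51000", "server": "203.0.113.10:443"},
         "first_ts": 1700000030.0, "last_ts": 1700000031.0, "rule": "upload-to-cloud-storage",
         "file_name": "q3-forecast.xlsx", "file_bytes": blob, "action": "blocked"},
    ]
```

`build_evidence_package("CASE-0001", sample_artifacts(), generated_ts=...)` produces the export and `verify_package` re-derives the digest from the canonical JSON, so any edit to an item after export is detectable. A digest stored inside the package only proves consistency with itself; for chain of custody the digest (or a signature over it) belongs in a separate write-once record the investigator controls.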
Network forensics shifts from days of log parsing to hours of focused analysis.
This datasheet helps you:
Identify east-west traffic blind spots
Validate encrypted session inspection
Confirm full session reconstruction
Ensure investigation-ready evidence
Prevention During Forensic Capture
Fidelis captures evidence while preventing threats:
Network DLP scans sensitive information patterns across protocols during inspection
Inline sandbox analyzes payloads from network traffic
Threat blocking and policy‑based captures generate linked evidence chains, so that blocked traffic, alerts, and captured session data remain associated for later investigation.
Ransomware Scenario: SMB enumeration triggers session capture. DSI builds forensic evidence while Network DLP prevents encryption across hybrid networks.
Fidelis vs. Other Network Detection Solutions
| Feature | Fidelis Network® | Behavioral NDR | Flow-Based Tools | Basic Packet Capture |
|---|---|---|---|---|
| Encrypted Analysis | Session decode + extraction | Metadata only | Flow headers | Raw streams |
| Session Reconstruction | Patented DSI | Anomaly patterns | NetFlow summaries | Manual sorting |
| Forensic Exports | PCAP/JSON + MITRE | Alert logs | Raw dumps | Untagged captures |
| Cloud Coverage | Native VPC/NSG integration | Agents required | Partial parsing | Mirror dependency |
| Inline DLP | DLP rules are optional and can be applied to DSI‑identified sessions for data‑loss prevention and capture | Separate tool | Monitoring only | None |
Fidelis provides agentless hybrid coverage through native cloud integrations, unifying network forensics and security.
Proven Hybrid Threat Scenarios
Manufacturing (on-premises + AWS EKS): detects SMB lateral movement across production networks; reconstructs C2 to S3 buckets; maps the ransomware attack chain.
Financial Services (Azure + data center): identifies IP exfiltration to personal cloud services; reconstructs complete access patterns; supports termination proceedings.
Healthcare (GCP migration): discovers misconfigured GKE workloads; reconstructs unauthorized API sessions; documents compliance issues.
Seamless Security Ecosystem Integration
Terrain mapping visualizes security posture across on-premises data centers, private clouds, and public cloud platforms, covering every connected device, workload, and traffic flow.
Why Security Teams Choose Fidelis for Hybrid Network Forensics
Patented Deep Session Inspection
DSI reconstructs complete sessions with content extraction from network traffic. These are capabilities that typically require multiple tools.
Agentless Hybrid Coverage
Native AWS VPC Traffic Mirroring, Azure NSGs, GCP Packet Mirroring capture east-west traffic without cloud agents.
Investigation-Ready Evidence
Alert details are typically exported as JSON or PDF for analysis; PCAP is available as an optional export for deeper forensic review.
Unified Prevention + Forensics
Network DLP rules may block data loss during DSI inspection, while sandboxing analyzes payloads to stop malware execution.
Enterprise-Scale Architecture
Petabyte‑scale data access across large hybrid networks with terrain mapping and automated workflows.
Article Summary: Hybrid Network Forensics
| Hybrid Visibility Gap | Fidelis Network® Capability | Forensic-Level Outcome |
|---|---|---|
| East-west traffic blind spots across on-premises and cloud environments | Deep Session Inspection (DSI) session reconstruction | Deep protocol decoding across hybrid infrastructure with complete session context |
| Encrypted tunnel payloads and nested protocols | Recursive protocol decoding and TLS inspection where policy permits | Extracted C2 commands, embedded files, and reconstructed attack activity |
| Investigation evidence gaps during incident response | PCAP and JSON exports with MITRE ATT&CK technique mapping | Investigation-ready digital evidence for legal and compliance review |
| Real-time data exfiltration across hybrid networks | Inline Network DLP inspection during session analysis | Threat blocking while preserving complete session evidence |
| Multi-environment complexity across data centers and public cloud | Terrain mapping with high-capacity session storage | Unified security posture visibility across hybrid environments |
Core Relationship: Fidelis Network® → DSI technology → forensic visibility across hybrid environments
Frequently Asked Questions
How does Deep Session Inspection differ from DPI tools?
DPI tools inspect traffic at the packet level and can miss multi-packet or encrypted sessions. Deep Session Inspection (DSI) reconstructs complete communication sessions and decodes nested protocols and data like HTTP over TLS over SMB. This reveals digital forensic artifacts such as files, C2 commands, and malware payloads that DPI tools often overlook.
Can Fidelis analyze encrypted traffic across cloud platforms?
Yes, where decryption policies allow. DSI provides deep session inspection into TLS-encrypted sessions plus metadata analysis across AWS, Azure, and GCP cloud platforms through VPC Traffic Mirroring, NSG integration, and Packet Mirroring.
How does Fidelis achieve hybrid network visibility without cloud agents?
Native cloud integrations capture traffic flow through AWS VPC Traffic Mirroring, Azure Network Security Groups, and GCP Packet Mirroring, plus SPAN/TAP for on-premises and virtual sensors for VMware. Terrain mapping presents the result as a unified view of the hybrid network.
What network forensics evidence supports legal investigations?
Fidelis Network® delivers session reconstruction, extracted files with metadata, MITRE ATT&CK mappings, and timestamped PCAP exports. These form complete digital evidence packages for data breach investigations and compliance.
Can Fidelis scale for large hybrid networks with IoT/OT?
Distributed sensors and high‑capacity session data access handle IoT endpoints, OT systems, containers, and cloud workloads across large hybrid networks.
The post How Fidelis Network® Delivers Forensic-Level Visibility Across Hybrid Environments appeared first on Fidelis Security.